The optimal setup for persistence and security that meets the above requirements would be the following?

By:
In: SAP-C01
Tagged:
With: 1 Comment
Your team has a tomcat-based Java application you need to deploy into development, test and production environments.After some research, you opt to useElastic Beanstalk due to its tight integration with your developer tools and RDS due to its ease of management.Your QA team lead points out that you need to roll a sanitized set of production data into your environment on a nightly basis.Similarly, other software teams in your org want access to that same restored data via their EC2 instances in your VPC.The optimal setup for persistence and security that meets the above requirements would be the following.

Create your RDS instance as part of your Elastic Beanstalk definition and alter its security group to allow access to it from hosts in your application subnets.

Create your RDS instance separately and add its IP address to your application’s DB connection strings in your code Alter its security group to allow access to it from hosts within your VPC’s IP address block.

Create your RDS instance separately and pass its DNS name to your app’s DB connection string as an environment variable. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself.

Create your RDS instance separately and pass its DNS name to your’s DB connection string as an environment variable Alter its security group to allow access to It from hosts in your application subnets.

Explanations:

Creating the RDS instance as part of the Elastic Beanstalk definition can lead to limitations in flexibility and management. It’s better to manage the RDS instance separately to allow more control over its lifecycle and configuration. Additionally, relying solely on application subnets for security may restrict access for other teams and environments.

While creating the RDS instance separately is a good practice, hardcoding the IP address in the application’s DB connection strings is not advisable due to potential changes in the IP address and lack of flexibility. It also poses security risks and complicates scaling or changes in the infrastructure.

This option allows for a clean separation of the RDS instance from the application, facilitating easier management and maintenance. Passing the DNS name as an environment variable enhances flexibility, allowing for easier updates to the connection string. Creating a specific security group for client machines enables controlled access and can accommodate multiple teams requiring access to the database without hardcoding IP addresses.

Similar to option A, this approach ties the RDS instance to the application subnets, which limits access for other software teams needing to connect from their EC2 instances. While passing the DNS name as an environment variable is a positive aspect, the restricted access policy diminishes the effectiveness of data sharing across teams.

2025-10-15

1 Comment

  1. Joshua
    Author

    I deduce that the answer is:
    Create your RDS instance separately and pass its DNS name to your app’s DB connection string as an environment variable. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen − twelve =